The financial services industry is among the most heavily targeted sectors by cybercriminals. In 2015 we saw a surge in attacks that involved extortion, social engineering, credential-stealing malware and sophisticated threats. In order to better defend against these unrelenting and increasingly malicious attacks, financial institutions must continually strive to understand the threats and the actors behind them.

Based on correlating sector data and analyzing changes month on month, here is a brief overview of the new threats and tactics, techniques and procedures (TTPs) that security professionals in the financial services sector should know about. With relevant and contextual insight, security teams can increase their cyber situational awareness and better align their security strategies in 2016.

1. Extortion. Two main actors, DD4BC and the Armada Collective, led the way in Distributed Denial of Service (DDoS) extortion in 2015. They use similar TTPs to extort Bitcoin from victims: an initial message tells the target that it is vulnerable to a DDoS attack and demands a ransom, and both the attack activity and the ransom demand escalate if the target ignores it. By the end of the year more bad actors had jumped into the fray, including a group calling itself Hacker Buba, which began tweeting links to customers' private financial data when its extortion attempts were unsuccessful.

2. Social media attacks. There were several notable examples of attackers misusing social media profiles, hiding behind fake profiles to gain trust and extract information for later social engineering. Toward the latter part of 2015 both Facebook and Twitter began proactively monitoring for suspicious activity and notifying users whose accounts they believe have been targeted or compromised.

3. Spear phishing and whaling. Spear phishing uses reconnaissance on the target to make messages appear genuine: the attacker masquerades as a legitimate individual or institution and co-opts that established trust to trick the target into handing over credentials. Whaling, which targets or impersonates senior executives in pursuit of larger sums of money, takes this method to the next level and escalated in 2015. It involves spoofing executives' emails, often those of CEOs, to dupe finance departments into making large transfers to fraudulent accounts. The directive often includes a URL that appears to be a legitimate financial services website but in fact leads the target to an attacker-controlled site.
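The whaling TTPs described above leave a handful of cheap, checkable tells in the message itself: a display name that matches an executive while the address belongs to another domain, a lookalike sender domain, a Reply-To that diverts answers elsewhere, and link text that names a different host from the one the link actually opens. The following Python script is an added example, not code from the original article; it runs those four heuristics over two constructed messages. The organisation domain, the executive name and mailbox, the lookalike domains and both sample e-mails are hypothetical, and the script assumes single-part messages.

```python
"""Heuristics for spotting executive-impersonation ("whaling") e-mail.
Added example; organisation, executive, domains and messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical organisation: domains it legitimately sends from, and the
# executives most likely to be impersonated (normalised name -> real mailbox).
ORG_DOMAINS = {"example-bank.com"}
EXECUTIVES = {"jane doe": "jane.doe@example-bank.com"}

# Character substitutions commonly used to build lookalike domains.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def domain_of(address: str) -> str:
    """Lower-cased domain part of an e-mail address ('' if there is none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def normalise_name(name: str) -> str:
    """Fold a display name to lower-case letters and single spaces."""
    return " ".join(re.sub(r"[^a-z ]", "", name.lower()).split())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a domain within one edit of the real one is suspect."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True if the domain imitates an org domain via homoglyphs or a single edit."""
    if not domain or domain in ORG_DOMAINS:
        return False
    folded = domain
    for fake, real in HOMOGLYPHS:
        folded = folded.replace(fake, real)
    return any(folded == legit or edit_distance(domain, legit) <= 1
               for legit in ORG_DOMAINS)


def link_mismatches(html: str) -> list:
    """(shown_host, real_host) pairs where the visible link text names a host
    other than the one the href actually opens."""
    out = []
    for href, text in ANCHOR_RE.findall(html):
        real = (urlparse(href).hostname or "").lower()
        shown = HOST_RE.search(re.sub(r"<[^>]+>", "", text))
        if shown and real and shown.group(1).lower() != real:
            out.append((shown.group(1).lower(), real))
    return out


def analyse(raw: str) -> list:
    """Run the whaling heuristics over one single-part RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    name = normalise_name(display)
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name]:
        findings.append(f"display name '{display}' is an executive but address is {addr}")
    if is_lookalike(from_dom):
        findings.append(f"sender domain {from_dom} is a lookalike of an organisation domain")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        findings.append(f"Reply-To {reply} diverts replies away from {from_dom}")
    body = msg.get_payload(decode=True) or b""
    html = body.decode(msg.get_content_charset() or "utf-8", "replace")
    for shown, real in link_mismatches(html):
        findings.append(f"link text shows {shown} but opens {real}")
    return findings


# Constructed samples: one CEO-fraud attempt and one genuine internal mail.
WHALING_MAIL = """\
From: "Jane Doe" <jane.doe@examp1e-bank.com>
Reply-To: jane.doe.ceo@webmail.example.net
To: payments@example-bank.com
Subject: Urgent: confidential wire transfer
Content-Type: text/html; charset=utf-8

<p>I need this sent before close of business. Confirm in the portal:
<a href="http://203.0.113.7/wire">https://www.example-bank.com/wire</a></p>
"""

LEGIT_MAIL = """\
From: "Jane Doe" <jane.doe@example-bank.com>
To: payments@example-bank.com
Subject: Q1 numbers
Content-Type: text/html; charset=utf-8

<p>Slides are on <a href="https://intranet.example-bank.com/q1">intranet.example-bank.com</a>.</p>
"""

if __name__ == "__main__":
    for label, mail in (("whaling", WHALING_MAIL), ("legitimate", LEGIT_MAIL)):
        print(label, analyse(mail) or ["no findings"])
```

The constructed fraud message trips all four checks; the genuine one trips none. These are triage heuristics, not proof of spoofing: in production they belong alongside SPF, DKIM and DMARC results and a payment-process control that requires out-of-band confirmation of any transfer requested by e-mail, which is the control that actually stops CEO fraud.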

4. Point-of-Sale malware. PoS systems remain a target for criminals despite the adoption of the Europay, MasterCard and Visa (EMV) standard. A number of variants of PoS malware, including LusyPOS and BlackPOS, have been observed recently. There is also some evidence that cloning of EMV credit cards is possible. EMV only protects the chip-read transaction itself; card data captured from a PoS system can still be monetised wherever magnetic-stripe transactions are still accepted.

5. ATM malware. Various ATM-specific malware threats were discovered in 2015. GreenDispenser infects ATMs and allows criminals to extract large sums of money while avoiding detection. Reverse ATM attacks also emerged. These combine compromised PoS terminals with 'money mules' to reverse transactions after money has been withdrawn physically or sent to another bank account, so that the withdrawal is never debited from the account.

6. Other notable threats. Credential-stealing malware targeting banking customers is on the rise. Dridex, for example, was very active in 2015 and garnered significant international law-enforcement attention. Exploit kits, which give attackers a turnkey way to infect visitors to compromised or malicious web pages, also remained highly active, with some of the more popular kits, such as the Angler Exploit Kit, incorporating exploits for newly disclosed vulnerabilities extremely quickly.

7. Sophisticated financial services threats. Throughout 2015 multiple threat actors used sophisticated TTPs to infiltrate organizations and exfiltrate valuable data. Typical TTPs include social engineering such as spear phishing, network intrusion techniques, and custom malware toolsets and utilities. Examples include Desert Falcon and Equation Group, which target multiple geographies and multiple sectors, financial services among them. An organized gang known as Anunak/Carbanak targeted financial institutions specifically. This particularly advanced group broke into internal networks, installed malicious software and took control of victims' machines, using that access to drain bank ATMs of cash and to steal money via the SWIFT network.

The financial services sector will likely continue to experience cyber threats more frequently than other industries, from threat actors with access to a range of TTPs. While companies and law enforcement are working together to identify and stop these attacks and the groups behind them, financially motivated cybercriminals never rest. Organizations must continue their quest for better threat protection and risk mitigation. By understanding which malicious actors may target an institution, why, and how they attack, financial services firms can enhance their cyber situational awareness and make more informed decisions about where and how to focus their security resources.